1. Introduction

1.1 Data controller and Data Protection Officer (DPO)

The Student Room Group Limited (TSRG).

TSRG is the controller for data processed through TSRMatters.com and associated marketing and sales activities.

• TSR Postal address: Imperial House, 2nd Floor, 40-42 Queens Road, Brighton,
  East Sussex, BN1 3XB
• TSR phone: 0800 999 3222
• Data Protection Officer Email address: data.protection@thestudentroom.com
• Contact form: https://tsrmatters.com/get-in-touch/

The best way to contact us, if you have a query, is initially via our online contact form.

1.2 Updates to this notice and your data

The privacy notice was last updated on: 02/11/2022

TSRG may update this privacy notice at any time to ensure it is correct and a true reflection of how TSRG process your personal data.

We encourage you to regularly check this page for any changes to stay informed about how we are using and protecting your personal data.

It is also important that the personal data we hold about you is accurate and current. At times, we may ask you to confirm or update your data when you use our website and services.

At other times, please also keep us informed if your personal data changes during your relationship with us – either through your account with us or by getting in touch.

1.2 Third-party links

This website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you.

We do not control these third-party websites and are not responsible for their privacy notices. When you leave our website, we encourage you to read the privacy notice of every website you visit.

2.Data collection and data uses

2.1 General purpose

TSR Insight carries out market research on behalf of TSRG and specific external clients. The research could be via a survey, focus group, or interview.

2.1 TSRMatters website use

• Categories of data: usage data, technical data, location data
• While using the website, we will collect standard analytics data on how the website is used in order to inform us about how it’s used and how we can improve it.
• This will include the times you use the website, any clicks, any pageviews views and general browsing habits as well as data on your browser, device type and other technical information.
• IP addresses may also sometimes be collected.
• Effort is made to pseudonymise as much of this data as possible, so it cannot easily be linked to you.
• We rely on a legitimate interest for improving the website to process this data, however, you will have the option to ‘opt-out’ by not accepting cookies when using the website.

2.2 Cookies

• The TSRMatters website uses cookies, which are considered personal data.
• You can set your browser to refuse all or some browser cookies or to alert you when websites set or access cookies.
• If you disable or refuse cookies, please note that some parts of this website may become inaccessible or not function properly.
• For more information about the cookies we use, please see our cookie policy.

2.3 Form completion

• Categories of data: contact data, employment data, technical data, location data, opinion data
• Whenever you complete a form on TSRMatters or other third-party services we employ, we will be processing your data.
• Forms could include subscriptions to newsletters, getting in touch with us, for gathering feedback or other ad-hoc and campaign-specific reasons.
• Your data will be stored in our CRM systems and databases and only accessible to the people who need it.
• Each form will be clear as to the purpose of data processing and the data will only be used for the stated purpose.
• We process this data either on your consent at the time of completing the form or as a legitimate interest of TSR or yourselves.

2.4 Marketing and communications

• Categories of data: contact data, employment data, location data
• We may send marketing communications via email or over the telephone to inform you of the services and products we sell, or, to share information and insights that could be of interest to you.
• You can opt-out of these communications at any time, either by getting in touch with us or via the unsubscribe links in all our emails.
• We mainly rely on consent for communications, however, sometimes we may rely on a legitimate interest such as in the cases of letting you know about products and services similar to those you or your organisation have previously shown an interest in.

2.5 Ordering and delivery of products and services

• Categories of data: contact data, employment data, location data
• If you purchase products or services from us, then we will be processing personal data.
• This will include:
  • When we communicate with you to agree a sale
  • When we create and send out and insertion order via email
  • When we request or process payments
  • When we communicate with you to organise delivery and set up of a product or service and any follows or reporting
• We process this data to enter in to and fulfil the contract you or your organisation has entered it with us.

2.6 Purchasing or acquisition of marketing lists

• Categories of data: contact data, employment data, location data, financial data
• Occasionally, we may purchase or acquire marketing lists from third parties. This could include paid-form databases and event attendance lists.
• We will use these to lists to send marketing communications to you, but only when it is clear there has been informed consent given by you to do this.
• We will inform you at the time of communicating with you as to how we got your contact details.

 

2.8 Special categorise of data

We do not expect to be processing special categories of data in our relationship with you.

2.9 Other uses of your personal data

Your personal data will not be used for any purpose, other than those listed here, without your explicit consent, or unless permitted or required by law.

3. International transfers

Your personal data will not normally be transferred outside of the European Economic Area (EEA). However, in some cases, we may be required to do so. If this happens, it will always be with a third-party data processor and we will always ensure appropriate safeguards are in place and detailed in the contracts we have with the data processor.

Appropriate safeguards would normally be:

• the processor is based in a country having an adequacy ruling by the EU
• the processor is based in the US and is safeguarded by the US Privacy Shield

4. Sharing your data

We will not sell, trade or rent any of your personal data. We will not share your personal data, except in the following circumstances:

a) Third-party data processors

We may use third-party data processors to carry out limited and specific activities. We will ensure contracts are in place with all third-party processors. The contacts will contain all the clauses required by data protection law. Our current data processors are:

• Website analytics
  • To monitor the performance and usage of the TSRMatters website

• • Data can be transferred to the US and is safeguarded by Privacy Shield rules

• Customer relation management system (hosting and management)

• • To support our relationships with you from initial contact through to sales

• Email systems

• • To allow us to send and monitor marketing campaigns and service delivery emails

• Telephone service

• • VoIP service to performance and track phone calls for marketing and service delivery purposes

• Contracts and invoicing systems

• • To allow us to make and send contracts and invoices and to process payments

• Digital marketing agents
  • To conduct marketing activity on our behalf
    • Prospect Global Ltd (trading as SoPro)
    • Based in the UK
    • Privacy notice: https://sopro.io/legal/#privacy-policy
    • Data protection officer email: dpo@sopro.io
    • ICO Reg: Z123456

• Professional advisors

• Including lawyers, bankers, auditors and insurers who provide consultancy, legal, insurance and accounting services
  • Based in the EEA

b) Regulators or other authorities

Sometimes, official regulators or authorities may legally require information about our data processing. This will rarely require us to share personal data. If we need to share personal data, we would only ever share the minimum data the law requires us to share.

Your personal data will not be shared with any other third parties except those above.

5. Data security

We have put in place appropriate technical and organisational security measures. This is to prevent misuse of your data, including:

• your data being lost or changed
• your data being seen by someone who should not have access
• your data being used in ways not listed here

Only people at TSRG and third parties who have a need to use your data will have access. They will only process your personal data on the instruction of TSRG. They will also be subject to a duty of confidence.

We have put in place procedures to deal with any suspected personal data breach. This includes processes to notify you and any applicable regulator of a breach where we are legally required to do so.

6. Data retention

Personal data collected by TSRMatters, and through associated sales and marketing, will only be kept for as long as it is needed, depending on your relationship with us.

After this time, the data will be securely deleted or appropriately anonymised so it is no longer personal data but can still be used for statistical analysis.

There are two exceptions to these rules:

• You request the deletion of all your personal data
• There is another legal basis for keeping any of the data for longer, for example, the establishment or defence of a legal claim

If you require further information on our data retention policy, then please get in touch with us.

7. Children’s information

TSRMatters and the associated marketing communications are not aimed at anyone below the age of 18. In the UK a child is defined as being over the age of 13 for data protection laws.

We, therefore, do not knowingly process the personal data of any children.

This privacy notice has also been reviewed to ensure people aged 18 or above can understand it.

8. Your legal rights

Under certain circumstances, you have rights under UK law in relation to your personal data. You will not usually have to pay a fee to exercise these rights. We will usually respond within 30 days unless the request is particularly complex. When using these rights, we may also request more information from you. This will be to confirm your identity and ensure the security of personal data.

• Informed: you have the right to be informed about what personal data is processed, what it is used for, why we are processing it, who is processing it and your legal rights. This privacy notice is our way of informing you of this.

• Consent: where we rely on your explicit consent as the legal basis for processing your data. You have the right to withdraw that consent at any time and object to us processing your data.

• Access: you have a right to request a copy of the personal data we hold about you at any time.

• Correction: you have the right to request we correct any incomplete or inaccurate data we hold about you.

• Erasure: you have the right to request we delete any personal data we hold about you. Sometimes this might not be possible, e.g. if we are required by law to keep certain records, in which case we will tell at the time of your request.

• Objection to processing: in some situations, eg where we are relying on legitimate interests to process personal data or where we are using your data for direct marketing, you have the right to object to the processing. In some cases, we may demonstrate that we have compelling legitimate grounds to continue to process your data which override your rights and freedoms.

• Restriction of processing: you have the right to request we stop processing your data if:

• • You want us to establish the data’s accuracy
  • Where our use of the data is unlawful, but you don’t want us to delete it
  • Where you need us to hold the data, even if we no longer require it, as you need to establish, exercise or defend a legal claim
  • You have objected to our use of your data, but we need to verify overriding legitimate grounds.

• Data portability: you have the right to receive a copy of the personal data you have provided us, should you wish to transfer it to another data controller. The data we provide should be in a structured machine-readable format.

• Withdraw consent: at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.

Please use our contact form if you wish to exercise any of these rights: https://tsrmatters.com/get-in-touch/

You have the right to make a complaint at any time to the Information Commissioner’s Office (“ICO”). The ICO is the UK supervisory authority for data protection issues (www.ico.org.uk).

However, we would like the chance to deal with your concerns before you contact the ICO. Therefore, please do contact us in the first instance.